07-23-2012 07:28 AM - edited 07-03-2021 10:26 PM
Hi
I am looking for a decent guide on how to configure the following to all work together
Cisco wireless lan controller 2500 - (which is already configured and working with the LAP's), I just need to get authentication working for our coporate lan.
It needs to use 802.1x wireless authentication with with a windows 2008 R2 NPS server that links into active directory. We also have a CA installed on our network.
I need to use EAP-TLS which I believe uses both client and server side certificates and is more tricky than PEAP.
I also need the windows 7 client settings for EAP-TLS to work with NPS and the controller/AP
Getting everything to work together if proving rather difficult.
There must be an upto guide out there, all the ones I have read include some cisco client side software which we wont be using and normally a older IAS server not NPS.
This is the config of my WLAN, should this work for EAP-TLS?
WLAN Identifier.................................. 1
Profile Name.....................................
Network Name (SSID)..............................
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 10 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ vlan xx
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ x.x.x.x 1812
Accounting.................................... x.x.x.x 1813
Dynamic Interface............................. Enabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
07-23-2012 01:15 PM
I don't think you will find any one guide on this... This can help you get started, but its for PEAP, which is just requires minor changes on the NPS and the cleint side configuration. IAS and NPS are very similar in the configuration also.
http://pcloadletter.co.uk/2011/07/11/cisco-wifi-active-directory-auth/.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide